Security Architecture is superior to Control Frameworks — here's why

January 2018

Adopting a security control framework is a common response for an organisation when cyber security becomes a concern. The push may come from an operational security function, a risk and governance function, or a regulatory directive. I presume the readers of this article are familiar with abbreviations such as ISO, NIST, PCI, SANS, CIS and ISF. These are the well-known organisations that publish cyber security control frameworks (along with many other good things). They all provide a good reference for building and organising security controls in a structure, facilitate maturity and risk assessments, and support gap analysis and remediation work against a benchmark.

Some organisations run these programmes with internal resources; others bring in external consultants to transfer know-how and to get an unbiased view. Regardless of who does the work, the control framework becomes the handbook of the security professional, because the complex cyber security ecosystem can now be broken into simpler components with a clear taxonomy. This reductionist approach takes one piece of the problem (i.e. a control domain) at a time and isolates external factors, so that the piece can be worked within its domain and results obtained quickly. Such an exercise typically reveals gaps in security controls or in their effectiveness, usually derived from qualitative interviews with domain stakeholders and from evidence gathered out of information repositories. This is undoubtedly valuable work, as organisations can evaluate their position and plan remediation and improvement accordingly.